Submission Details
Severity: medium
Invalid

Lack of Access Control in initVault Allows Front-Running

Summary

Vault::initVault lacks adequate access control mechanisms. This function is critical for initializing the vault with the LoveToken contract and setting the corresponding manager contract. However, malicious actors can monitor pending transactions within the Ethereum mempool and execute a transaction calling initVault with unauthorized parameters before the original transaction is confirmed. This vulnerability arises because any user can call initVault without restrictions, leading to potential unauthorized initialization.

Vulnerability Details

The Ethereum mempool is a holding area for transactions awaiting confirmation. Transactions in the mempool are publicly visible, allowing actors to observe and potentially exploit transactions that are not yet confirmed. The initVault function's current implementation does not restrict who can call it, nor does it ensure that the call comes from a trusted source. Consequently, an attacker can front-run the legitimate initialization transaction by submitting a similar call with a higher gas price, ensuring their transaction is confirmed first. This could result in the vault being initialized with an attacker-controlled manager contract, compromising the integrity and security of the vault and associated funds or operations.

Impact

Successful front-running of the initVault function call can lead to several adverse outcomes, including but not limited to:

  1. Unauthorized control over the vault, including redirection of funds or manipulation of token distributions.

  2. Loss of confidence in the security and reliability of the protocol, potentially deterring user participation.

  3. Financial losses for users and the protocol due to unauthorized access and potential exploitation.

The protocol is forced to redeploy its contracts.

Tools Used

Manual review.

Recommendations

Add access control to Vault::initVault as follows:

+ modifier onlyOwner() {
+ require(msg.sender == owner, "Caller is not the owner");
+ _;
+ }
+ constructor() {
+ owner = msg.sender;
+ }
- function initVault(ILoveToken loveToken, address managerContract) public {
+ function initVault(ILoveToken loveToken, address managerContract) public onlyOwner {
if (vaultInitialize) revert Vault__AlreadyInitialized();
loveToken.initVault(managerContract);
vaultInitialize = true;
}
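Review bot: `owner` is read in the added `onlyOwner` modifier and assigned in the added constructor, but none of the added lines declares it, so the patch only compiles if Vault already has that state variable; add a declaration such as `address private immutable owner;` next to the modifier. The `require` with a string reason also differs in style from the custom error `Vault__AlreadyInitialized()` used in the body of `initVault`; a custom error (for example a hypothetical `Vault__NotOwner()`) would keep the revert style consistent.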
Updates

Lead Judging Commences

0xnevi Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Other
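
Added example, not part of the submission, the judging or the audited project: a Foundry regression test for the owner check recommended in the finding, showing that a call to initVault from anyone but the deployer reverts and leaves the vault uninitialized. `MockLoveToken`, `GuardedVault`, the test contract and the labelled addresses are constructed stand-ins that model only the initVault logic quoted in the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";
// Constructed stand-in for LoveToken: records the manager it is handed.
contract MockLoveToken {
    address public manager;
    function initVault(address managerContract) external { manager = managerContract; }
}
// Constructed stand-in for the patched Vault; only initVault is modelled.
contract GuardedVault {
    error Vault__AlreadyInitialized();
    address private immutable owner;
    bool public vaultInitialize;
    constructor() { owner = msg.sender; }
    function initVault(MockLoveToken loveToken, address managerContract) public {
        require(msg.sender == owner, "Caller is not the owner");
        if (vaultInitialize) revert Vault__AlreadyInitialized();
        loveToken.initVault(managerContract);
        vaultInitialize = true;
    }
}
contract InitVaultAccessTest is Test {
    MockLoveToken token;
    GuardedVault vault;
    address deployer = makeAddr("deployer"); // constructed test addresses
    address outsider = makeAddr("outsider");
    address manager = makeAddr("manager");
    function setUp() public {
        token = new MockLoveToken();
        vm.prank(deployer); // the vault's constructor sees deployer as msg.sender
        vault = new GuardedVault();
    }

    // A caller other than the deployer is rejected and nothing is initialized.
    function test_outsiderCannotInitialize() public {
        vm.prank(outsider);
        vm.expectRevert("Caller is not the owner");
        vault.initVault(token, outsider);
        assertFalse(vault.vaultInitialize());
    }

    // The deployer initializes once; a second call hits the existing guard.
    function test_deployerInitializesExactlyOnce() public {
        vm.startPrank(deployer);
        vault.initVault(token, manager);
        assertEq(token.manager(), manager);
        vm.expectRevert(GuardedVault.Vault__AlreadyInitialized.selector);
        vault.initVault(token, manager);
    }
}
```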
